Found by the wychcheck-jce Wycheproof runner.
Failing test
AesGcmTest.testIvReuse
Root cause
After cipher.init(ENCRYPT_MODE, key, params) followed by cipher.doFinal(pt), a second cipher.doFinal(pt) on the same Cipher object silently succeeds and, because the key and IV are unchanged, produces byte-for-byte identical ciphertext and tag.
NIST SP 800-38D (Section 8) requires that an IV never be used more than once with a given key, and the javax.crypto.Cipher Javadoc directs callers to re-initialize a GCM cipher with a different IV after every encryption. OpenJDK's SunJCE enforces this: once a GCM encryption has completed, the next update()/doFinal() without a fresh init() throws IllegalStateException, which is what the Wycheproof test expects. wolfJCE performs no such check and simply encrypts again.
Key/IV reuse is catastrophic for GCM: the repeated CTR keystream leaks the XOR of the two plaintexts, and two distinct messages encrypted under the same key and IV allow recovery of the GHASH subkey H (Joux's "forbidden attack"), after which authentication tags can be forged. The missing check does not itself cause the reuse, but it removes the safety net that stops a buggy caller from doing so.
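The following is an added example, not code from wolfJCE, wolfSSL or the Wycheproof project. It reproduces the failing pattern against the JCE provider named on the command line (assumed to be already registered with java.security.Security; with no argument the default provider is used) and reports whether the second doFinal() is rejected, then shows the caller-side pattern that avoids the problem by re-initializing with a fresh random IV for every message. The key, IV and plaintext are constructed test values, and the class and method names are chosen here for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class GcmIvReuseCheck {

    // Returns true if the provider refuses a second doFinal() after a completed
    // GCM encryption (expected behaviour, as in SunJCE), false if it silently
    // encrypts again under the same key and IV.
    static boolean rejectsIvReuse(String providerName) throws GeneralSecurityException {
        Cipher cipher = providerName == null
                ? Cipher.getInstance("AES/GCM/NoPadding")
                : Cipher.getInstance("AES/GCM/NoPadding", providerName);

        // Constructed test values: an all-zero 128-bit key and a 96-bit IV.
        SecretKey key = new SecretKeySpec(new byte[16], "AES");
        byte[] iv = new byte[12];
        GCMParameterSpec params = new GCMParameterSpec(128, iv);
        byte[] pt = "attack at dawn".getBytes(StandardCharsets.UTF_8);

        cipher.init(Cipher.ENCRYPT_MODE, key, params);
        byte[] ct1 = cipher.doFinal(pt);
        try {
            // Same key, same IV, no re-init: a conforming provider must refuse this.
            byte[] ct2 = cipher.doFinal(pt);
            // Reached only on a non-conforming provider; output is identical to ct1.
            System.out.println("IV reuse accepted; identical output: " + Arrays.equals(ct1, ct2));
            return false;
        } catch (IllegalStateException expected) {
            return true;
        }
    }

    // Correct caller-side usage: a fresh random 96-bit IV and a new init() for
    // every encryption, with the IV prepended so the receiver can decrypt.
    static byte[] encryptWithFreshIv(Cipher cipher, SecretKey key, SecureRandom rng, byte[] pt)
            throws GeneralSecurityException {
        byte[] iv = new byte[12];
        rng.nextBytes(iv);
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = cipher.doFinal(pt);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out; // IV || ciphertext || tag
    }

    public static void main(String[] args) throws Exception {
        String provider = args.length > 0 ? args[0] : null; // e.g. "SunJCE" or "wolfJCE"
        System.out.println("provider rejects IV reuse: " + rejectsIvReuse(provider));

        // Two encryptions of the same plaintext with the safe pattern differ,
        // because each carries its own IV and keystream.
        Cipher cipher = provider == null
                ? Cipher.getInstance("AES/GCM/NoPadding")
                : Cipher.getInstance("AES/GCM/NoPadding", provider);
        SecretKey key = new SecretKeySpec(new byte[16], "AES");
        SecureRandom rng = new SecureRandom();
        byte[] pt = "attack at dawn".getBytes(StandardCharsets.UTF_8);
        byte[] a = encryptWithFreshIv(cipher, key, rng, pt);
        byte[] b = encryptWithFreshIv(cipher, key, rng, pt);
        System.out.println("fresh-IV encryptions differ: " + !Arrays.equals(a, b));
    }
}
```

Running this with "SunJCE" prints that IV reuse is rejected; a provider with the behaviour described above prints that it is accepted and that the two outputs are identical. A random 96-bit IV keeps the collision probability negligible for any realistic message count under one key, which is why encryptWithFreshIv re-initializes rather than relying on the provider's check.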
Priority
Low — affects code that calls doFinal() twice on the same initialized Cipher object without re-calling init(), which is unusual in practice.